dtucker [Sat, 24 Oct 2009 00:40:32 +0000 (00:40 +0000)]
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2009/10/11 23:03:15
[hostfile.c]
mention the host name that we are looking for in check_host_in_hostfile()
dtucker [Sun, 11 Oct 2009 10:52:10 +0000 (10:52 +0000)]
- dtucker@cvs.openbsd.org 2009/10/11 10:41:26
[sftp-client.c]
d_type isn't portable so use lstat to get dirent modes. Suggested by and
"looks sane" deraadt@
dtucker [Sun, 11 Oct 2009 10:51:40 +0000 (10:51 +0000)]
- jmc@cvs.openbsd.org 2009/10/08 20:42:12
[sshd_config.5 ssh_config.5 sshd.8 ssh.1]
some tweaks now that protocol 1 is not offered by default; ok markus
dtucker [Sun, 11 Oct 2009 10:51:08 +0000 (10:51 +0000)]
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2009/10/08 14:03:41
[sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5]
disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt
dtucker [Sun, 11 Oct 2009 10:50:20 +0000 (10:50 +0000)]
- (dtucker) [configure.ac sftp-client.c] Remove the gyrations required for
dirent d_type and DTTOIF as we've switched OpenBSD to the more portable
lstat.
dtucker [Tue, 6 Oct 2009 23:46:29 +0000 (23:46 +0000)]
- djm@cvs.openbsd.org 2009/08/20 18:43:07
[ssh-com-sftp.sh]
fix one sftp -D ... => sftp -P ... conversion that I missed; from Carlos
Silva for Google Summer of Code
dtucker [Tue, 6 Oct 2009 23:43:57 +0000 (23:43 +0000)]
- djm@cvs.openbsd.org 2009/08/13 01:11:55
[sftp-batch.sh sftp-badcmds.sh sftp.sh sftp-cmds.sh sftp-glob.sh]
date: 2009/08/13 01:11:19; author: djm; state: Exp; lines: +10 -7
Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
add "-P port" to match scp(1). Fortunately, the -P option is only really
used by our regression scripts.
part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
of Code work; ok deraadt markus
dtucker [Tue, 6 Oct 2009 23:31:56 +0000 (23:31 +0000)]
- djm@cvs.openbsd.org 2009/08/13 00:57:17
[regress/Makefile]
regression test for port number parsing. written as part of the a2port
change that went into 5.2 but I forgot to commit it at the time...
dtucker [Tue, 6 Oct 2009 23:30:57 +0000 (23:30 +0000)]
- dtucker@cvs.openbsd.org 2009/05/05 07:51:36
[regress/multiplex.sh]
Always specify ssh_config for multiplex tests: prevents breakage caused
by options in ~/.ssh/config. From Dan Peterson.
dtucker [Tue, 6 Oct 2009 23:30:06 +0000 (23:30 +0000)]
- djm@cvs.openbsd.org 2008/12/07 22:17:48
[regress/addrmatch.sh]
match string "passwordauthentication" only at start of line, not anywhere
in sshd -T output
dtucker [Tue, 6 Oct 2009 22:02:18 +0000 (22:02 +0000)]
- djm@cvs.openbsd.org 2009/10/06 04:46:40
[session.c]
bz#1596: fflush(NULL) before exec() to ensure that everying (motd
in particular) has made it out before the streams go away.
dtucker [Tue, 6 Oct 2009 22:01:03 +0000 (22:01 +0000)]
- djm@cvs.openbsd.org 2009/09/01 14:43:17
[ssh-agent.c]
fix a race condition in ssh-agent that could result in a wedged or
spinning agent: don't read off the end of the allocated fd_sets, and
don't issue blocking read/write on agent sockets - just fall back to
select() on retriable read/write errors. bz#1633 reported and tested
by "noodle10000 AT googlemail.com"; ok dtucker@ markus@
dtucker [Tue, 6 Oct 2009 21:47:02 +0000 (21:47 +0000)]
- djm@cvs.openbsd.org 2009/08/27 17:44:52
[authfd.c ssh-add.c authfd.h]
Do not fall back to adding keys without contraints (ssh-add -c / -t ...)
when the agent refuses the constrained add request. This was a useful
migration measure back in 2002 when constraints were new, but just
adds risk now.
bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@
dtucker [Tue, 6 Oct 2009 21:46:21 +0000 (21:46 +0000)]
- djm@cvs.openbsd.org 2009/08/27 17:43:00
[sftp-server.8]
allow setting an explicit umask on the commandline to override whatever
default the user has. bz#1229; ok dtucker@ deraadt@ markus@
dtucker [Tue, 6 Oct 2009 21:45:48 +0000 (21:45 +0000)]
- djm@cvs.openbsd.org 2009/08/27 17:33:49
[ssh-keygen.c]
force use of correct hash function for random-art signature display
as it was inheriting the wrong one when bubblebabble signatures were
activated; bz#1611 report and patch from fwojcik+openssh AT besh.com;
ok markus@
dtucker [Tue, 6 Oct 2009 21:44:42 +0000 (21:44 +0000)]
- djm@cvs.openbsd.org 2009/08/27 17:28:52
[sftp-server.c]
allow setting an explicit umask on the commandline to override whatever
default the user has. bz#1229; ok dtucker@ deraadt@ markus@
dtucker [Tue, 6 Oct 2009 21:37:48 +0000 (21:37 +0000)]
- djm@cvs.openbsd.org 2009/08/18 18:36:21
[sftp-client.h sftp.1 sftp-client.c sftp.c]
recursive transfer support for get/put and on the commandline
work mostly by carlosvsilvapt@gmail.com for the Google Summer of Code
with some tweaks by me; "go for it" deraadt@
dtucker [Tue, 6 Oct 2009 21:24:19 +0000 (21:24 +0000)]
- djm@cvs.openbsd.org 2009/08/14 18:17:49
[sftp-client.c]
make the "get_handle: ..." error messages vaguely useful by allowing
callers to specify their own error message strings.
dtucker [Tue, 6 Oct 2009 21:23:06 +0000 (21:23 +0000)]
- djm@cvs.openbsd.org 2009/08/13 01:11:19
[sftp.1 sftp.c]
Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
add "-P port" to match scp(1). Fortunately, the -P option is only really
used by our regression scripts.
part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
of Code work; ok deraadt markus
dtucker [Tue, 6 Oct 2009 21:21:48 +0000 (21:21 +0000)]
- djm@cvs.openbsd.org 2009/08/12 00:13:00
[sftp.c sftp.1]
support most of scp(1)'s commandline arguments in sftp(1), as a first
step towards making sftp(1) a drop-in replacement for scp(1).
One conflicting option (-P) has not been changed, pending further
discussion.
Patch from carlosvsilvapt@gmail.com as part of his work in the
Google Summer of Code
- (dtucker) [configure.ac] Change the -lresolv check so it works on Mac OS X
10.6 (which doesn't have BIND8_COMPAT and thus uses res_9_query). Patch
from jbasney at ncsa uiuc edu.
- (dtucker) [configure.ac] Bug #1639: use AC_PATH_PROG to search the path for
krb5-config if it's not in the location specified by --with-kerberos5.
Patch from jchadima at redhat.
dtucker [Fri, 28 Aug 2009 01:21:06 +0000 (01:21 +0000)]
- (dtucker) [clientloop.c configure.ac defines.h] Make the client's IO buffer
size a compile-time option and set it to 64k on Cygwin, since Corinna
reports that it makes a significant difference to performance. ok djm@
dtucker [Fri, 28 Aug 2009 01:02:37 +0000 (01:02 +0000)]
- (dtucker) [channels.c configure.ac] Bug #1528: skip the tcgetattr call on
the pty master on Solaris, since it never succeeds and can hang if large
amounts of data is sent to the slave (eg a copy-paste). Based on a patch
originally from Doke Scott, ok djm@
djm [Fri, 28 Aug 2009 00:40:30 +0000 (00:40 +0000)]
- (djm) [sshd_config.5] downgrade mention of login.conf to be an example
and mention PAM as another provider for ChallengeResponseAuthentication;
bz#1408; ok dtucker@
dtucker [Thu, 20 Aug 2009 06:20:50 +0000 (06:20 +0000)]
- (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move
the setpcred call on AIX to immediately before the permanently_set_uid().
Ensures that we still have privileges when we call chroot and
pam_open_sesson. Based on a patch from David Leonard.
dtucker [Thu, 20 Aug 2009 06:16:01 +0000 (06:16 +0000)]
- (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not
using it since the type conflicts can cause problems on FreeBSD. Patch
from Jonathan Chen.
dtucker [Sun, 16 Aug 2009 23:35:22 +0000 (23:35 +0000)]
- (dtucker) [configure.ac] Check for headers before libraries for openssl an
zlib, which should make the errors slightly more meaningful on platforms
where there's separate "-devel" packages for those.
- (dtucker) [openbsd-compat/getrrsetbyname.c] Reduce answer buffer size so it
fits into 16 bits to work around a bug in glibc's resolver where it masks
off the buffer size at 16 bits. Patch from Hauke Lampe, ok djm jakob.
- dtucker@cvs.openbsd.org 2009/07/02 02:11:47
[ssh.c]
allow for long home dir paths (bz #1615). ok deraadt
(based in part on a patch from jchadima at redhat)
- andreas@cvs.openbsd.org 2009/06/27 09:35:06
[readconf.h readconf.c]
Add client option UseRoaming. It doesn't do anything yet but will
control whether the client tries to use roaming if enabled on the
server. From Martin Forssen.
ok markus@
- andreas@cvs.openbsd.org 2009/06/27 09:32:43
[roaming_common.c roaming.h]
It may be necessary to retransmit some data when resuming, so add it
to a buffer when roaming is enabled.
Most of this code was written by Martin Forssen, maf at appgate dot com.
ok markus@
- andreas@cvs.openbsd.org 2009/06/27 09:29:06
[packet.h packet.c]
packet_bacup_state() and packet_restore_state() will be used to
temporarily save the current state ren resuming a suspended connection.
ok markus@
dtucker [Mon, 22 Jun 2009 06:11:06 +0000 (06:11 +0000)]
- dtucker@cvs.openbsd.org 2009/06/22 05:39:28
[monitor_wrap.c monitor_mm.c ssh-keygen.c auth2.c gss-genr.c sftp-client.c]
alphabetize includes; reduces diff vs portable and style(9).
ok stevesk djm
(Id sync only; these were already in order in -portable)
dtucker [Sun, 21 Jun 2009 09:08:48 +0000 (09:08 +0000)]
- dtucker@cvs.openbsd.org 2009/06/21 09:04:03
[roaming.h roaming_common.c roaming_dummy.c]
Add tags for the benefit of the sync scripts
Also: pull in the changes for 1.1->1.2 missed in the previous sync.
dtucker [Sun, 21 Jun 2009 09:00:20 +0000 (09:00 +0000)]
- dtucker@cvs.openbsd.org 2009/06/21 07:37:15
[kexdhs.c kexgexs.c]
abort if key_sign fails, preventing possible null deref. Based on report
from Paolo Ganci, ok markus@ djm@
dtucker [Sun, 21 Jun 2009 08:58:46 +0000 (08:58 +0000)]
- andreas@cvs.openbsd.org 2009/06/12 20:43:22
[monitor.c packet.c]
Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@
dtucker [Sun, 21 Jun 2009 08:53:53 +0000 (08:53 +0000)]
- andreas@cvs.openbsd.org 2009/05/28 16:50:16
[sshd.c packet.c serverloop.c monitor_wrap.c clientloop.c sshconnect.c
monitor.c Added roaming.h roaming_common.c roaming_dummy.c]
Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@
Also, applied appropriate changes to Makefile.in
dtucker [Sun, 21 Jun 2009 08:17:19 +0000 (08:17 +0000)]
- andreas@cvs.openbsd.org 2009/05/28 16:50:16
[sshd.c packet.c serverloop.c monitor_wrap.c clientloop.c sshconnect.c
monitor.c]
Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@
dtucker [Sun, 21 Jun 2009 08:16:26 +0000 (08:16 +0000)]
- andreas@cvs.openbsd.org 2009/05/27 06:38:16
[sshconnect.h sshconnect.c]
Un-static ssh_exchange_identification(), part of a larger change from
Martin Forssen and needed for upcoming changes.
ok markus@
dtucker [Sun, 21 Jun 2009 08:15:25 +0000 (08:15 +0000)]
- andreas@cvs.openbsd.org 2009/05/27 06:36:07
[packet.h packet.c]
Add packet_put_int64() and packet_get_int64(), part of a larger change
from Martin Forssen.
dtucker [Sun, 21 Jun 2009 08:13:57 +0000 (08:13 +0000)]
- andreas@cvs.openbsd.org 2009/05/27 06:33:39
[clientloop.c]
Send SSH2_MSG_DISCONNECT when the client disconnects. From a larger
change from Martin Forssen, maf at appgate dot com.
ok markus@
dtucker [Sun, 21 Jun 2009 08:12:20 +0000 (08:12 +0000)]
- andreas@cvs.openbsd.org 2009/05/27 06:31:25
[canohost.h canohost.c]
Add clear_cached_addr(), needed for upcoming changes allowing the peer
address to change.
ok markus@
dtucker [Sun, 21 Jun 2009 07:56:51 +0000 (07:56 +0000)]
- stevesk@cvs.openbsd.org 2009/04/21 15:13:17
[sshd_config.5]
clarify we cd to user's home after chroot; ok markus@ on
earlier version; tweaks and ok jmc@
dtucker [Sun, 21 Jun 2009 07:50:15 +0000 (07:50 +0000)]
- tobias@cvs.openbsd.org 2009/03/23 19:38:04
[ssh-agent.c]
My previous commit didn't fix the problem at all, so stick at my first
version of the fix presented to dtucker.
Issue notified by Matthias Barkhoff (matthias dot barkhoff at gmx dot de).
ok dtucker
dtucker [Sun, 21 Jun 2009 07:49:36 +0000 (07:49 +0000)]
- tobias@cvs.openbsd.org 2009/03/23 08:31:19
[ssh-agent.c]
Fixed a possible out-of-bounds memory access if the environment variable
SHELL is shorter than 3 characters.
with input by and ok dtucker
dtucker [Sun, 21 Jun 2009 07:48:52 +0000 (07:48 +0000)]
- jmc@cvs.openbsd.org 2009/03/19 15:15:09
[ssh.1]
for "Ciphers", just point the reader to the keyword in ssh_config(5), just
as we do for "MACs": this stops us getting out of sync when the lists
change;
fixes documentation/6102, submitted by Peter J. Philipp
alternative fix proposed by djm
ok markus
dtucker [Mon, 4 May 2009 02:52:47 +0000 (02:52 +0000)]
- (dtucker) [sshlogin.c] Move the NO_SSH_LASTLOG #ifndef line to include
variable declarations. Should prevent unused warnings anywhere it's set
(only Crays as far as I can tell) and be a no-op everywhere else.
tim [Wed, 18 Mar 2009 18:25:02 +0000 (18:25 +0000)]
- (tim) [configure.ac] Remove setting IP_TOS_IS_BROKEN for Cygwin. The problem
that setsockopt(IP_TOS) doesn't work on Cygwin has been fixed since 2005.
Based on patch from vinschen at redhat com.
dtucker [Sun, 8 Mar 2009 00:40:27 +0000 (00:40 +0000)]
- (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c
auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h}
openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old
version of Cygwin. Patch from vinschen at redhat com.
dtucker [Sat, 7 Mar 2009 11:22:35 +0000 (11:22 +0000)]
- (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}]
EVP_DigestUpdate does not exactly match the other OLD_EVP functions (eg
in openssl 0.9.6) so add an explicit test for it.